Per discussion on the Automation WG call today, the pilot using a private MITRE-hosted GIT repository to investigate the requirements surrounding the automation of updating and retrieving the CVE JSON data is beginning today. Dave Waltermire
of NIST was present and in agreement with moving the pilot forward. It was also suggested that a notice be sent to the Board to let them know that the pilot has begun.

You read my mind. The intent is not to figure out if GIT is the answer it is find out what the requirements the answer must meet. GIT just happens to be the vehicle that we are using at the moment to find the answer. I think having a
discussion on the CNA list about GIT would be premature since I am not convinced that it would even be appropriate as the eventual solution. And as for other pilots, this pilot does not necessarily preclude other pilots, join the list (or the calls) and start
making suggestions.

Maybe this all just comes down to terminology and intent. Your response focuses on GIT, but I don’t think this is the focus of the pilot at all.

What do we actually mean when we say “pilot” in this case. Harold and George can correct me if I am wrong, but this is really just a test that happens to use GIT. Harold made the statement in the beginning of this thread that “All participants
should understand that this is only a pilot and as such there is no guarantee that any eventual solution will look anything like the pilot.” This means that GIT isn’t the chosen solution and shouldn’t be the focus at this point. However, if it works well as
an option then maybe we might be open to using it as a part or even a major part of the solution. We won’t know until we give it a try right?

Additionally, the intent of the pilot is to “investigate the requirements surrounding the automation of updating and retrieving the CVE JSON data.” Also stated was ‘We hope to learn not only what features are necessary to support the “plumbing”
of sending and receiving the data, but also what attributes and metadata are needed in the CVE format to support automation.’ Are there other alternatives to support this intent, yes. A couple have been raised and I would agree that the Automation WG should
investigate those as well. IMO though, I don’t think the WG should wait on identifying those alternatives before trying out the current one.

Last, This approach has already been developed in cooperation with a handful of CNAs as they are on the Automation WG. Based on the language of Harold’s email, the pilot would be limited to those CNAs and would not be broadly applicable
to all CNAs. Again, Harold or George can correct me if I am wrong on this.

As I raised on the last board call, I have concerns with using GIT as a content management solution for CVE entries, since it has some limitations.

1) It is unknown if the CNA community will want to use this solution. If they won’t adopt the approach eventually, then a pilot is a non-starter.

2) A centralized solution for content management may not fit a hierarchical organization of CNAs. We generally want CVE information to flow towards the root CAN and then to the list. Not all CNA hierarchies may wish to publish centrally.
It might be better to look at a syndication approach which might better align with this type of organizational structure. Perhaps this should be piloted at the same time, allowing for a comparison to be made?

3) GIT requires a copy of the repo to be downloaded, with all the history which can be quite large. Some pruning of history may be possible, mitigating this issue. This should be investigated as part of the pilot. If GitHub is used I believe
there is a 100 MB file size limit and a 1GB soft limit and a 2 GB hard limit on all repos, with a we have a 2TB limit. This could also pose a problem.

4) GIT does not have a way to search entries. A separate service will need to be built on top to support this, which complicates deployments.

I am sure there are other concerns I am missing.

I’d like to see the following occur before moving forward with this pilot:

1) Discussion of the GIT approach on the CNA list to explore if there are major concerns with its use before moving forward.

2) Discussion within the automation WG / board lists about alternate approaches that may be piloted as well. These should also be discussed on the CNA list before moving forward with a pilot.

Per discussion on the last board call it has been requested that all WGs send a brief notice to the board to both inform the board and provide an opportunity for the board to give input on any pilots.

The CVE Automation Working Group is proposing to run a pilot using a private MITRE-hosted GIT repository to investigate the requirements surrounding the automation of updating and retrieving the CVE JSON data. We hope to learn not only
what features are necessary to support the “plumbing” of sending and receiving the data, but also what attributes and metadata are needed in the CVE format to support automation. Participants will be MITRE and members of the CVE Auto WG with the goal for participants
to update their CVEs using the format in the GIT repo and for participants to update and receive updated information through the GIT repo. Participants will be the only ones with access to the GIT repository. All participants should understand that this is
only a pilot and as such there is no guarantee that any eventual solution will look anything like the pilot. Initial proposed pilot is planned to run no later than through August 21st and if we need to extend the pilot we will come back to the board to request
an extension.

Unless there are any sustained objections the pilot will start in earnest on May 15th (the next CVE auto WG call).